Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the Council of State.

Thailand currently does not have any specific law regulating data protection. The Office of the Prime Minister first published the Draft Act in 2014. The Draft Act has undergone several rounds of changes and this article aims to give a high level overview of the recently approved version of the Draft Act.

The Draft Act has been revised to replicate many of the concepts and obligations which are common across global data protection laws and in particular the GDPR. We have highlighted some of those key obligations below.

Key definitions
The new law has some key definitions which are similar to data protection laws elsewhere:

“Personal data” is broadly defined as information that is able to directly or indirectly identify a living individual.
“Data controller” is a person (whether a natural or legal person) who has authority to make decisions on collection, usage or disclosure of Personal Data.
“Data processor” is a person (whether a natural or legal person) who collects, uses or discloses Personal Data in compliance with the orders of data controller.
Extraterritorial application
The Draft Act regulates both data controllers and data processors, whether or not they are in Thailand, who collect, use or disclose Personal Data collected from individuals in Thailand (whether or not those individuals are Thai citizens). This means that organizations outside of Thailand may be subject to the Draft Act.

General protections
Specific consent is required from the data subject, in writing or via electronic means, prior to or at the time of collection, use or disclosure of personal data, unless one of the prescribed exceptions applies. A data subject may at any time revoke his/her consent, unless there is a restriction under the law or contract on revoking such consent.

Collection of personal data
Collection of personal data must be for a lawful purpose and be directly relevant to, and necessary for, the activities of the data controller. The data controller must inform the data subject of the following, prior to or at the time personal data is collected:

the purpose of the collection;
the personal data to be collected;
to whom the personal data might be disclosed;
contact information of the data controller; and
the rights of the data subject.
This information would usually be provided by way of a collection notice.

Except under limited circumstances prescribed under the Draft Act, personal data must be collected directly from the data subject. Also, the collection of sensitive personal data, such as religious belief, political preference, sexual behaviour or medical records, is prohibited except under limited circumstances prescribed under the Draft Act or ministerial regulation. Examples of the permitted circumstances for collection of sensitive data include where sensitive data is collected to protect or prevent harm to a person’s life, body or health, or to comply with any legal requirement on the data controller.

Cross-border transfer of personal data
Personal data can only be transferred to a country with rigorous data protection measures and in accordance with guidelines to be prescribed by the Personal Data Protection Committee, unless:

the transfer is made pursuant to any applicable law;
consent is obtained from the data subject;
the transfer is in compliance with the contract entered into between the data subject and the data controller;
the transfer is in the interests of a data subject who is incapable of giving consent; or
as otherwise prescribed by ministerial regulation.
Rights of data subject
A data subject is entitled to access his/her own personal data which is held by the data controller, or to request the data controller to disclose the sources of information where such personal data is collected without his/her consent. In the event that the data controller fails to comply with any provision of the Draft Act, a data subject is entitled to request the data controller to delete, destroy, temporarily suspend the use of or anonymize personal data.

Fines and penalties
Both civil and criminal penalties can be imposed on the data controller for violation of the provisions of the Draft Act.

Grandfathering provisions
The data controller may continue to use personal data collected prior to the date that the Draft Act comes into force, provided that:

such personal data is only used for the purpose for which it was originally collected; and
a mechanism is made available and publicised by the data controller for the data subject easily to request deletion of his/her personal data.
Next steps
If the council of state approves the Draft Act, the Draft Act will be forwarded to the Thai cabinet and subsequently to the national legislative assembly for approval before coming into force. No official time frame for this process has been announced so it is difficult at this stage to anticipate the enactment date of the Draft Act.

Takeaway
The Draft Act means that companies doing business in Thailand or handling the data of Thai citizens will need to reconsider their policies and procedures for handling personal data in accordance with the new law once passed. Fortunately, it seems that the approach taken under the Draft Act is not inconsistent with many major data protection laws around the world, so companies with a robust data protection regime in place may not have to make too many changes to accommodate the new law.